Marcher Gets Close to Users by Targeting Mobile Banking, Android Apps, Social Media, and Email

Introduction

Marcher is an Android banking Trojan, first detected in 2013, that continually evolves to stay active. The longevity and evolution of this malware are not surprising, given that mobile banking malware is the quickest and easiest way to grab money from victims. In fact, the mobile banking malware market is so hot that it grew 400% in 2016, 81% of which targeted Android phones.1 That growth is somewhat expected since Android, with over 24,000 implementations, is the most popular smartphone operating system.2 That is a huge number of devices to test and secure, made more difficult by the fact that most Android phones are behind on critical patches and are thus more vulnerable to attack.3 As with any malware campaign, attackers must continually evolve to evade detection of their C&C servers and keep the cash flowing.

Marcher inspects its infected devices carefully by using a dedicated, hard-coded configuration in each Android Package Kit (APK), Google’s file format for distributing and installing application software (like mobile banking apps) on the Android OS. Each APK has the ability to target different financial institutions in specific geographical locations.

F5 research conducted in March 2017 followed 153 Marcher configuration files to uncover target and activity trends in the worldwide attack campaigns. Among the 153 configuration files, 54 distinct command and control (C&C) servers were detected. Of the 54 distinct C&C servers, 12 were online and operational (until F5 had them shut down in March), 10 were sinkholed, and 32 were already offline. The remaining 99 C&C servers were duplicated configurations from different APKs. This is likely because configuration files are hardcoded within the APK and old spam campaigns keep infecting new users, so old configurations are still being detected in the wild.

Global View of March Targets

Analyzing the newest configuration files, Marcher’s March targets primarily focused on banks in Europe, followed by Australia, and then Latin America. Only 2% of targets were in North America. The targets within these regions were all banks, as well as their Android mobile banking apps available for download in the Google Play Store. Australia had one exception where an online classified ad site called Gumtree was targeted. The 7% “Global” are application and platform targets that are used worldwide such as the Android platform, social network companies like Facebook, email providers like Yahoo and Gmail, the WhatsApp and Viber messaging apps, PayPal, and eBay. (See target domain details driving these geographical breakdowns in the Marcher Targets section and Appendix A.)

Figure 2: Marcher targets by regions in March 2017

The following map shows the specific countries within the regions above that were targeted. The banks within those countries are detailed in Appendix A.

Figure 3: Marcher-targeted countries, March 2017

Campaigns and Targets

The common pattern in the latest configuration was distinct and repeated subfolders in the C&C details, such as 012, THREEHADFOUND, or jadafire. We classified the current online campaigns via these subfolder identifications as follows:

QUESTIONROADFAR campaigns target French banks as well as social network apps globally

C&C Servers Detected

In the following table, we’ve listed the 54 distinct C&C servers detected, 63% of which were using HTTPS. While monitoring Marcher activity in March, F5 researchers shut down 12 malicious C&C servers that were detected.


Table 1: C&C servers and their statuses, March 2017
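As an added illustration of how the campaigns are classified by the repeated C&C subfolder (012, balls51, TRUELESSCARBLAC, and so on) and how the HTTPS share for Table 1 is counted, here is example code that is not from the F5 report. The hosts in the sample are constructed placeholders; only the subfolder campaign names come from the page.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample in the defanged "hxxp(s)://" form used in Table 1.
# Hosts are placeholders (.invalid / RFC 5737 space), not the report's indicators;
# the subfolder campaign ids are the ones named in the report.
SAMPLE_C2 = [
    ("hxxp://c2-alpha.invalid/012/", "Sinkholed"),
    ("hxxp://c2-beta.invalid/012", "Offline – shut down in March 2017 by F5 researchers"),
    ("hxxps://c2-gamma.invalid/balls51/", "Offline"),
    ("hxxps://192.0.2.10/balls51/", "Offline – shut down in March 2017 by F5 researchers"),
    ("hxxps://c2-delta.invalid/TRUELESSCARBLAC/", "Offline – shut down in March 2017 by F5 researchers"),
    ("hxxps://c2-epsilon.invalid/MUCHTHENWERESTO/", "Offline – 404"),
    ("hxxp://c2-zeta.invalid/mail/", "Offline"),
    ("hxxps://c2-eta.invalid/QUESTIONROADFAR/", "Offline"),
]

def refang(indicator):
    """Restore the real scheme of a defanged indicator so urlsplit can parse it.
    Nothing is fetched; this is only for offline parsing of the indicator."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", indicator, flags=re.IGNORECASE)

def campaign_of(indicator):
    """Campaign id = first path segment of the C&C URL ('012', 'balls51', ...)."""
    segments = [s for s in urlsplit(refang(indicator)).path.split("/") if s]
    return segments[0] if segments else ""

def summarize(entries):
    """Group C&C hosts by campaign and compute the HTTPS share and status counts."""
    by_campaign = defaultdict(list)
    statuses = Counter()
    https = shut_down = 0
    for indicator, status in entries:
        parts = urlsplit(refang(indicator))
        https += parts.scheme == "https"
        shut_down += "shut down" in status.lower()
        by_campaign[campaign_of(indicator)].append(parts.hostname)
        # Collapse "Offline – shut down ..." / "Offline – 404" into plain "Offline"
        statuses[re.split(r"\s[–-]\s", status)[0]] += 1
    return {
        "https_pct": round(100 * https / len(entries), 1),
        "shut_down": shut_down,
        "campaigns": {c: sorted(hosts) for c, hosts in by_campaign.items()},
        "statuses": dict(statuses),
    }

if __name__ == "__main__":
    for campaign, hosts in summarize(SAMPLE_C2)["campaigns"].items():
        print(f"{campaign:16} {len(hosts)} host(s): {', '.join(hosts)}")
```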

The 12 C&C servers that F5 shut down in March were associated with three campaigns—012, balls51, and TRUELESSCARBLAC—that primarily targeted banks in Europe. 012 was the most active campaign, targeting German, Polish, Austrian, and Australian banks, followed by TRUELESSCARBLAC, which also targeted German and Polish banks. The balls51 campaign targeted Austrian, German, and UK banks, as well as Latin American banks in Mexico, Argentina, Colombia, and Peru.

Figure 4: 12 Marcher campaigns running on 12 active C&C servers taken down in March 2017

Marcher Targets

We detected 172 targeted domains in March 2017. As expected, the majority (93%) were banks. A smaller but interesting portion of the targets were email providers like Yahoo and Gmail, social network and messaging apps like Facebook, Viber, and WhatsApp, and Gumtree, an Australian online classified ad app.

Figure 5: Marcher targets by industry

Most of Marcher’s domain targets are Google Play Store links where customers download the Android mobile app. In turn, most of the Google Play downloads are banking apps, but Marcher is also targeting Facebook, Viber, WhatsApp, Gmail, HTC, and Yahoo Android apps. (Yahoo, with 81 webinjects, is the biggest target outside of banks. See webinject target explanations below.) In most cases, Marcher targets a bank’s main site, mobile site, and Google Play Store Android app download collectively. (See details in Appendix A.)

The top 5 countries whose banks were targeted included Germany, Australia, France, Turkey, and Austria. The “Global” definition applies to PayPal and eBay versus the majority of Marcher’s targets that go after specific banks in specific countries.

Figure 7: Targeted banks by country

Several banking groups were targeted across multiple countries, including the ING Group in Austria, Australia, France, and Germany; the Santander Group across Europe and Latin America; and the Sparkasse Group throughout Germany and Austria.

| Target Domain | Domain Owner | Target Country |
|---|---|---|
| ingdirect.com.au | ING Direct | Australia |
| au.com.ingdirect.android | ING Direct (Android App via Google Play) | Australia |
| com.IngDirectAndroid | ING Direct France (Android App via Google Play) | France |
| banking.ing-diba.de | ING-DiBa | Germany |
| banking.ing-diba.at | ING-DiBa | Austria |
| com.ing.diba.mbbr2 | ING-DiBa (Android App via Google Play) | Germany |
| de.ing_diba.kontostand | ING-DiBa Kontostand (Android App via Google Play) | Germany |
| securebank.santander.de | Santander | Germany |
| mx.bancosantander.supermovil | Santander | Mexico |
| uk.co.santander.santanderUK | Santander | UK |
| mobile.santander.de | Santander (Android App via Google Play) | Germany |
| com.santander.app | Santander (Android App via Google Play) | Spain |
| cl.santander.smartphone | Santander Chile (Android App via Google Play) | Chile |
| ar.com.santander.rio.mbanking | Santander Rio | Argentina |
| netbanking.sparkasse.at | Sparkasse | Austria |
| m.netbanking.sparkasse.at | Sparkasse | Austria |
| com.starfinanz.smob.android.sbanking | Sparkasse (Android App via Google Play) | Germany |
| com.starfinanz.smob.android.sfinanzstatus | Sparkasse (Android App via Google Play) | Germany |
| banking.berliner-sparkasse.de | Sparkasse Berliner | Germany |
| bankingportal.sparkasse-bielefeld.de | Sparkasse Bielefeld | Germany |
| bankingportal.sparkasse-bochum.de | Sparkasse Bochum | Germany |
| bankingportal.sparkasse-dortmund.de | Sparkasse Dortmund | Germany |
| bankingportal.sparkasse-duisburg.de | Sparkasse Duisburg | Germany |
| bankingportal.frankfurter-sparkasse.de | Sparkasse Frankfurter | Germany |
| banking.sparkasse-hannover.de | Sparkasse Hannover | Germany |
| bankingportal.sparkasse-koelnbonn.de | Sparkasse Koelnbonn | Germany |
| banking.sparkasse-leipzig.de | Sparkasse Leipzig | Germany |
| banking.sparkasse-muensterland-ost.de | Sparkasse Muensterland | Germany |
| portal.sparkasse-nuernberg.de | Sparkasse Nuernberg | Germany |

Table 2: Banking groups targeted across multiple countries

What’s also notable in terms of targets is how many webinjects the Marcher authors created for a particular banking institution. This is a direct indicator of the high priority the authors placed on certain banks. Table 3 represents the top 25 targeted URLs. These are all banks that were targeted directly (rather than their respective Android banking apps available for download in the Google Play Store).

| Target Domain | Domain Owner | Target Country | Target Industry | Webinjects Detected |
|---|---|---|---|---|
| finanzportal.fiducia.de | Fiducia & GAD IT | Germany | Banking | 553 |
| bankwest.com.au | Bankwest | Australia | Banking | 348 |
| stgeorge.com.au | St. George | Australia | Banking | 327 |
| ibs.bankwest.com.au | Bank West | Australia | Banking | 316 |
| isube.garanti.com.tr | Garanti Bank | Turkey | Banking | 316 |
| sube.halkbank.com.tr | Halkbank | Turkey | Banking | 316 |
| www.isbank.com.tr | Isbank | Turkey | Banking | 316 |
| banksa.com.au | Bank of South Australia | Australia | Banking | 269 |
| westpac.com.au | Westpac | Australia | Banking | 248 |
| ibanking.stgeorge.com.au | St. George | Australia | Banking | 237 |
| banking.westpac.com.au | Westpac | Australia | Banking | 237 |
| bireysel.ziraatbank.com.tr | Ziraat Bank | Turkey | Banking | 237 |
| commbank.com.au | Commonwealth Bank | Australia | Banking | 171 |
| fr.banquepopulaire.cyberplus | Cyberplus | France | Banking | 165 |
| ibanking.banksa.com.au | BankSA | Australia | Banking | 158 |
| mobile.bankaustria.at | Bank Austria | Austria | Banking | 158 |
| banking.raiffeisen.at | Raiffeisen ELBA | Austria | Banking | 158 |
| netbanking.sparkasse.at | Sparkasse | Austria | Banking | 158 |
| internetsubesi.akbank.com | Ak Bank | Turkey | Banking | 158 |
| www.isbank.com.tr/TicariInternet | Isbank | Turkey | Banking | 158 |
| subesizbankacilik.vakifbank.com.tr | Vakif Bank | Turkey | Banking | 158 |
| yapikredi.com.tr | Yapi Kredi | Turkey | Banking | 158 |
| kurumsal.ziraatbank.com.tr | Ziraat Bank | Turkey | Banking | 158 |
| ostsaechsische-sparkasse-dresden.de | Ostsaechsische Sparkasse Group | Germany | Banking | 147 |
| de.commerzbanking.mobil | Commerz Banking (Android App via Google Play) | Germany | Banking | 147 |

Table 3: Top targeted banks by webinject quantity

Conclusion

Attackers know that tricking (socially engineering) general Internet users into downloading a fake (malicious) app or giving up their credentials is much easier than targeting a bank’s network directly, so it’s no surprise when they set their sights directly on users through the services and apps they most often use, like email, social media, messaging services, eBay, and others. CISOs and users alike are advised to beware of the serious threat of Android malware campaigns. These campaigns continue to evolve by getting better at tricking user targets and evading detection. As the mobile app and device footprint grows worldwide, this poses an ever-growing threat to financial institutions, which must deal with users pointing their finger at the bank when they are defrauded.

In the U.S., there have been several such finger-pointing cases over who is responsible for fraud based on stolen credentials. Even though banks have come out ahead in liability legal battles (after all, the customer got hacked, not the bank), these cases have generated a raft of negative publicity for banks.4

The blamestorming got so bad in the U.S. that financial regulators stepped in and put stronger requirements on banks to combat stolen credentials.5 Now that we’re seeing a replay of these same attacks on mobile devices, the whole cycle of anger and blame could repeat itself if we’re not careful.

From a corporate point of view, mobile devices should either be managed or untrusted. Banking attacks are easy money for cyber-criminals, but the ongoing evolution of the malware into additional applications demonstrates that nothing is safe. Because this is a challenging problem for most financial institutions, many are choosing to leverage security vendors that specialize in web and fraud protections for financial institutions, acting on their behalf to identify banking Trojans that target them and get them shut down.

About the F5 Security Operations Center

The F5 Security Operations Center (SOC) protects customers from malware, phishing, and web fraud with proactive, 24x7 real-time global threat monitoring. The efforts to identify and take down the 12 active Marcher C&C servers in March were completed by the F5 SOC.